Using the YUM Security plugin, it may differentiate between normal and security updates.

Features:
- Using the YUM Security plugin, it may differentiate between normal and security updates.

- Prints the number of available updates (optionally differentiating between normal and security updates).

- By default, returns a CRITICAL state when security updates are found and “ignores” any normal updates. This behaviour may be changed so that normal updates lead to a WARNING state.

- May use the system repository cache, instead of creating/updating a repository cache for the invoking user.

- Repositories may be selectively enabled or disabled for the checks.

- A timeout for the check may be set.

- If the YUM Security plugin is required but not installed, an UNKNOWN state will be returned.

- If the output of YUM changes and cannot be parsed anymore, an UNKNOWN state will be returned.
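
The state mapping in the feature list can be sketched as follows. This is an added example, not the plugin's own code: the function names and the summary-line patterns are assumptions made for illustration, and the exit codes are the standard Nagios plugin values.

```python
import re

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Summary-line formats assumed for this example (not taken from the page):
# the wording printed by the yum security plugin differs between releases.
SUMMARY_PATTERNS = [
    re.compile(r"^Needed (?P<sec>\d+) of (?P<total>\d+) packages, for security"),
    re.compile(r"^(?P<sec>\d+) package\(s\) needed for security, out of (?P<total>\d+) available"),
    re.compile(r"^No packages needed,? for security[,;] (?P<total>\d+) (?:packages )?available"),
]

def parse_summary(output):
    """Return (security, total) from yum output, or None if no summary line matches."""
    for line in output.splitlines():
        for pattern in SUMMARY_PATTERNS:
            m = pattern.match(line.strip())
            if m:
                groups = m.groupdict()
                return int(groups.get("sec") or 0), int(groups["total"])
    return None

def evaluate(output, warn_on_any_update=False):
    """Map yum output to (exit_code, message) following the states listed above."""
    counts = parse_summary(output)
    if counts is None:
        # Fail to UNKNOWN, never to OK: an unparsed format must not hide pending patches.
        return UNKNOWN, "YUM UNKNOWN: cannot find summary line in yum output"
    security, total = counts
    if security > total:
        return UNKNOWN, "YUM UNKNOWN: inconsistent counts in summary line"
    normal = total - security
    msg = "%d security update(s), %d non-security update(s)" % (security, normal)
    if security > 0:
        return CRITICAL, "YUM CRITICAL: " + msg
    if normal > 0 and warn_on_any_update:
        return WARNING, "YUM WARNING: " + msg
    return OK, "YUM OK: " + msg

# Constructed sample outputs; the last one uses wording none of the patterns know.
SAMPLE_OLD = "Loaded plugins: security\nNeeded 3 of 25 packages, for security\n"
SAMPLE_NEW = "Loaded plugins: security\nNo packages needed for security; 7 packages available\n"
SAMPLE_CHANGED = "Loaded plugins: security\nThere are 40 total update(s) available\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_CHANGED):
        print(evaluate(sample))
```

A monitoring setup that treats UNKNOWN as a notifiable state will surface a changed yum output format instead of silently reporting a host as patched.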

Documentation:
Invoking the program with the “--help” or “-h” option prints the documentation.

Invocation:

The original author had this warning in place:
“It was requested to not run as root but some experimentation has shown that package information is generally less reliable when running as a normal user. YUM incorrectly returns less or no security updates, which are shown when run as root. I believe this is due to YUM repository files not being readable by a non-privileged user (especially 3rd party repositories). If you relax the permissions on those repository files it may be possible to run this as a non-root user, but you should first check for differences in results on your systems between running as root or as an ordinary user.”

I had to add some fix to this script:
in line 304 there is a "limit":
if len(output) > number_total_updates + 25 / OR 25000:
I had to change this value to 50000: because output from
yum --security check-update has about 29000 lines.

I had to add some fix to this script:
in line 304 there is a "limit":
if len(output) > number_total_updates + 25:
I had to change this value to 25000: because output from yum --security check-update has about 23000 lines.

Worked perfectly until yesterday; I use it with -C --all-updates on Amazon AWS.

As of now it returns "Cannot find summary line in YUM output. Please make sure you have upgraded to the latest version of this plugin. If the problem persists, please contact the author for a fix" and this I am doing now.

What I'd love it to parse is these lines:

sudo yum --security check-update -v
...
There are 40 total update(s) available
Security: kernel-3.2.39-6.88.amzn1.i686 is an installed security update
Security: kernel-3.2.38-5.48.amzn1.i686 is the currently running version
...

Augmenting the excellent advice of the previous poster, here is a small diff against check_yum 0.7.1 which will allow the script to continue working with CentOS 5 while also making it compatible with the yum output format of CentOS 6:

Hello,
Thank you for this great plugin but, when I use it with RHEL6 systems, it gives me errors
UNKNOWN: Security plugin for yum is required. Try to 'yum install yum-security' and then re-run this plugin. Alternatively, to just alert on any update which does not require the security plugin, try --all-updates even with installing the required package.
and in some other RHEL6 systems it gives me

YUM WARNING: Cannot find summary line in yum output. Please make sure you have upgraded to the latest version of this plugin. If the problem persists, please contact the author for a fix

I reviewed this script's code and tested on several sandbox servers. I then implemented it on multiple CentOS 5.x environments with no problems. This plugin is definitely helpful with quickly pinpointing servers that haven't been patched.

When running the check_yum plugin on Fedora 13 machines, there is a good chance you will come up with this error:

YUM WARNING: Cannot find summary line in yum output. Please make sure you have upgraded to the latest version of this plugin. If the problem persists, please contact the author for a fix

Luckily there is a simple reason for this. The good folks at Fedora just decided to change some words around in the summary output. However, this throws the plugin for a loop since it's looking for specific text to indicate the summary output (and determine what updates are potentially available). Solution for this is to just change the text so that it matches the summary output of yum on Fedora 13 servers: